Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WEBINAR:On-Demand

Security researcher Charlie Miller will deliver the keynote speech June 9 at the International Conference on Cyber Conflict. The conference, in its third year, is sponsored by the NATO Cooperative Cyber Defence Center of Excellence and will take place in Estonia.

Miller's keynote, entitled "Why the Bad Guys are Winning the InfoSec War," will use the recent security breaches at PBS.org, RSA Security and HBGary Federal as examples, Miller told eWEEK. Miller analyzed recent events and determined that the common denominator across all the incidents was unknown vulnerabilities and zero-day exploits.

"You are doing everything right, but the bad guys are coming in because they know about vulnerabilities no one else does," Miller said.

Enterprises and governments for the most part have been doing security long enough that they know they have to keep their systems patched. But when most attacks involve a zero-day exploit, no patch is available. Organizations don't even know they are vulnerable, Miller said.

Further reading

In the case of PBS.org, Lulz Security, a group of cyber-pranksters usually out for laughs (or lolz) did not like the way whistleblower site WikiLeaks was portrayed in the Frontline documentary WikiSecrets. They uncovered a zero-day vulnerability in Movable Type 4, the content-management system used by PBS, and broke in, defacing the site and posting a fake news story about Tupac Shakur supposedly being alive.

Miller blamed the software vendors for the situation. Companies are shipping products with bugs and issues they haven't fixed, and the ones suffering for it are the customers and end users, Miller said. The malicious Excel spreadsheet that attackers used to exploit a zero-day vulnerability in Flash did not affect Microsoft or Adobe, but instead, RSA Security, back in March, Miller said.

The company that actually makes the software has little incentive to make the investment to ship bug-free code, according to Miller. It's difficult and expensive to write secure code. As long as companies don't see a direct benefit to being secure, they won't spend the extra time, resources and money to address bugs.

Companies like Microsoft and Apple should be focusing on better coding practices and check for bugs during development. Before the product ships, they should have a security team or outside researchers come in as consultants to help look for bugs in the code, according to Miller.

Miller also suggested that the software industry and its customers have to give some incentive for researchers and security consultants to devote their time and effort to looking for security holes and then reporting them to the vendors. "Researchers can report to the company and get their names on a Website when the patch comes out, or they can sell it to a bad guy on the black market and make some money," Miller said. "We shouldn't be putting people in that position to have to choose in the first place," said Miller.

Miller said a bounty program like the one Google has for its Chrome Web browser is a step in the right direction because it gives researchers incentive to look for and report issues.

The battle is harder for the software vendors to fight, since they have to ensure every bug is addressed, while the attackers just have to find one, according to Miller.

Attackers aren't using all the exploits they find at once, either. Many of them hold zero-day vulnerabilities in reserve so that they always have a backup attack method to fall back on after the company fixes the flaws that come to light.

Miller cited some statistics from an organization that does penetration testing. The average lifespan of a zero-day vulnerability is 348 days, Miller said. That is, it takes nearly a year for a zero-day to be patched from the day it is reported. The fastest a zero-day that an organization reported got fixed was 99 days, and the slowest was over three years, according to Miller.

If companies were doing a better job testing and fixing bugs before shipping each new version, it would be "harder to hang onto the zero-day," Miller said.

Miller is currently a principal research consultant for Accuvant Labs, a company that specializes in penetration testing, application and enterprise security assessments, and vulnerability research. Miller is also well-known for hacking Apple products. He co-wrote The Mac Hacker's Handbook with Dai Zovi and has won three Pwn2Own contests at CanSecWest for successfully compromising up-to-date, fully patched MacOS X systems and iPhones.

By submitting your information, you agree that eweek.com may send you eWEEK offers via email, phone and text message, as well as email offers about other products and services that eWEEK believes may be of interest to you. eWEEK will process your information in accordance with the Quinstreet Privacy Policy.

We ran into a problem

We already have your email address on file. Please use the "Forgot your password?" link to create a password, validate your email and login.